Krebs on Security

In-depth security news and investigation

Hospital Sues Bank of America Over Million-Dollar Cyberheist

A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.

In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.

On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.

Bank of America was ultimately able to claw back roughly $400,000 of the fraudulent payroll payments. But in a complaint (PDF) filed against the bank, the hospital alleges that an employee on the Chelan County Treasurer’s staff noticed something amiss the following Monday — April 22, 2013 — and alerted the bank to the suspicious activity.

“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.”

Chelan County alleges breach of contract, noting that the agreement between the county and the bank incorporates rules of the National Automated Clearinghouse Association (NACHA), and that those rules require financial institutions to implement a risk management program for all ACH activities; to assess the nature of Chelan County’s ACH activity; to implement an exposure limit for Chelan County; to monitor Chelan County’s ACH activity across multiple settlement dates; and to enforce that exposure limit. The lawsuit alleges that Bank of America failed on all of those counts, and that it ran afoul of a Washington state law governing authorized and verified payment orders.
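The NACHA controls listed above (an exposure limit, monitoring across multiple settlement dates, assessing the nature of the originator’s activity) are easy to state and easy to leave unimplemented. Here is an added illustration, not the bank’s or the hospital’s software, of what an originator-side batch check looks like, run over a constructed payroll sample that mimics the pattern in this case: dozens of never-seen payees added, then batches on consecutive settlement dates. The account names, amounts, exposure limit and thresholds are all hypothetical.

```python
"""Originator-side ACH payroll batch checks: per-batch exposure limit, a rolling
limit across multiple settlement dates, and a flag for batches that suddenly
pay many accounts never seen in earlier payroll runs."""
from collections import namedtuple
from datetime import date, timedelta

Entry = namedtuple("Entry", "account amount")           # one direct-deposit credit
Batch = namedtuple("Batch", "settlement_date entries")  # one payroll file


def batch_total(batch):
    return sum(e.amount for e in batch.entries)


def new_payee_share(batch, known_accounts):
    """Fraction of entries that pay an account absent from every prior run."""
    if not batch.entries:
        return 0.0
    unknown = sum(1 for e in batch.entries if e.account not in known_accounts)
    return unknown / len(batch.entries)


def review_batches(batches, known_accounts, exposure_limit,
                   window_days=7, new_payee_threshold=0.10):
    """Return {iso settlement date: [reasons]} for batches that should be held
    for out-of-band confirmation rather than released automatically."""
    held = {}
    submitted = []  # (settlement_date, total) of every batch seen so far
    for b in sorted(batches, key=lambda x: x.settlement_date):
        total = batch_total(b)
        window_start = b.settlement_date - timedelta(days=window_days)
        rolling = total + sum(t for d, t in submitted if d > window_start)
        reasons = []
        if total > exposure_limit:
            reasons.append("batch total %.2f exceeds exposure limit %.2f"
                           % (total, exposure_limit))
        elif rolling > exposure_limit:
            reasons.append("rolling %d-day exposure %.2f exceeds limit %.2f"
                           % (window_days, rolling, exposure_limit))
        share = new_payee_share(b, known_accounts)
        if share > new_payee_threshold:
            reasons.append("%.0f%% of payees are accounts never paid before"
                           % (share * 100))
        if reasons:
            held[b.settlement_date.isoformat()] = reasons
        submitted.append((b.settlement_date, total))
    return held


# Constructed sample (hypothetical accounts, amounts and limit): 20 long-standing
# employees paid $4,500 each, a limit set a little above that normal payroll,
# then two batches on consecutive settlement dates that add dozens of new payees.
KNOWN_ACCOUNTS = {"emp-%02d" % i for i in range(1, 21)}
EXPOSURE_LIMIT = 120_000.00


def payroll_batch(settle, extra_payees=0, extra_amount=0.0):
    entries = [Entry("emp-%02d" % i, 4_500.00) for i in range(1, 21)]
    entries += [Entry("new-%03d" % i, extra_amount)
                for i in range(1, extra_payees + 1)]
    return Batch(settle, entries)


SAMPLE = [
    payroll_batch(date(2013, 4, 5)),                 # normal run: released
    payroll_batch(date(2013, 4, 19), 30, 900.00),    # under limit, 60% new payees
    payroll_batch(date(2013, 4, 20), 40, 600.00),    # pushes 7-day total over limit
]


def review_sample():
    return review_batches(SAMPLE, KNOWN_ACCOUNTS, EXPOSURE_LIMIT)


if __name__ == "__main__":
    for settle, reasons in review_sample().items():
        print(settle, "HELD:", "; ".join(reasons))
```

Note that the second batch stays under the per-batch limit and is caught only by the new-payee ratio, while the third is caught by the rolling window; a per-batch limit alone would have released both.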

In a response (PDF) filed with the U.S. District Court for the Eastern District of Washington at Spokane, Bank of America denied nearly all of the allegations in the lawsuit, including that it ignored the hospital’s warning not to process the $603,575 payment batch.

The bank noted that its contractual obligations with the county are governed by the Uniform Commercial Code (UCC), which has been adopted by most states (including Washington). The UCC holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”

This cyberheist mirrors attacks against dozens of other businesses over the past five years that have lost tens of millions of dollars at the hands of crooks armed with powerful banking Trojans such as ZeuS. It’s not clear what strain of malware was used in this attack, but the money was funneled through a cashout gang that this blog has tied to cyberheists orchestrated by organized crooks who distributed ZeuS via email spam campaigns.

Businesses and consumers operate under vastly different rules when it comes to banking online. Consumers are protected by Regulation E, which dramatically limits the liability for those who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).

Businesses, however, do not enjoy such protections. The victim organization’s bank may decide to reimburse the victim for some of the losses, but beyond that the only recourse for the victim is to sue their bank. Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means it’s generally not in the business’s best interests to sue its bank unless the amount stolen was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.

So, if you run a business and you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.

This entry was posted on Tuesday, March 3rd, 2015 at 10:28 am and is filed under Other.

51 comments

I can’t even transfer $1000 between my accounts with Chase or my account access gets frozen. I am surprised that these banks don’t flag large transfers immediately and require account holder verbal auth with a pin code for something over 50k or so. It’s just laziness and cheapness; you can hire 100 people for $10 an hour to just do verification for all customers.

There are many businesses for whom such a policy would be disruptive because they have a legitimate need for timely transfers of unpredictable sums. It is a reasonable and seemingly practical safeguard but not actually so simple to implement in reality.

On that note, can you clear something up for me? I have been told (admittedly potentially incorrectly) that a state driver’s license is a valid form of ID for up to 2 years AFTER the expiration date of the DL. (Which makes sense, since the expiration is on your license to operate a vehicle, not an expiration of who you are.) However, my bank, where I make a regular monthly wire for the same amount to the same person every month, refused to process a transfer when I presented my DL, expired by 1 month. Not as a matter of going back and saying “I told you so” but just as a matter of knowledge, is declining to process a transfer with an expired DL something that is required by law (as they claimed) or rather a matter of policy? Their excuse was that the federal govt has increased the restrictions on transfers to fight laundering / terrorism, thus an expired DL was no longer valid ID.

The Hospital will lose. Laws are clear. I’ve followed many similar cases in the last 4-5 years and the banks have won 100% of the time. If proper steps were taken to prevent the malware it would not have been an issue. But, …”it won’t happen to me” is the vast majority’s mindset. Sad.

If a hospital employee let a Trojan into the system via email attachment or other means, the hospital has some degree of responsibility for the loss. There is no mention of this in any of the material (the hospital would conveniently leave this out), but Brian does mention the possibility of the Zeus trojan. If this is the case, I think it is doubtful the hospital will prevail.

It would greatly alleviate such incidents as this if the businesses/banks considered this possibility when an account is established and set up safeguards then.

There are some numbers that phishing attacks can be 70% successful at getting someone to open an attachment or go to a website. If it’s worded in line with a normal email an employee receives it can be even higher.

Most businesses do not understand there are added costs for tech: one is the support contracts, 20%, then another 15% for security. For every 1 million in tech it’s 350,000 for support minimum, 1.35m. Most managers do not understand this and keep asking for more technology everywhere, when in many cases they should be spending on re-engineering existing environments for security and reduced complexity.

No one seems to be mentioning that in this particular case, allegedly a Bank of America employee asked the Chelan County Treasurer’s office if the transfer was authorized – before any money had been transferred – and got back an answer of No.
Yet the money was transferred anyway.
It seems that would make a huge difference in the outcome of this case.

No one’s mentioning it? Brian did in this article. Or do you mean that commenters aren’t mentioning it?

BoA certainly mentioned it, and their response denies it ever happened. If it can be proved that it did, I agree that it should make a difference. IANAL, but my read of “whether or not authorized” from the UCC would be that the bank can treat a transaction as legit without requesting authorization. Once an employee chooses to ask for authorization and authorization was explicitly denied, it’s a different story.

Did that happen here? Chelan claims it did, BoA says it didn’t. *If* Chelan can prove it happened I’d think they have a strong case. I’m interested to see how this shakes out.

I think that a major portion of the lawsuit will hinge on the following:

“Bank of America provided Chelan County and the Taxing Districts with Bank of America software for use in processing payroll requests via direct deposit. At all times material to this lawsuit, Chelan County and the Taxing Districts used the software provided by Bank of America.”

If the software was defective and or contributed to the loss, then I suspect the bank may be held liable or at least partially liable.

Bank of America’s assertion that they have no legal obligation to cover the loss under the UCC is specious and irrelevant. If the article reports the facts correctly, the bank has a moral obligation under the terms of the service agreement with Chelan County. The moral obligation trumps the legal nonsense.

Hiding behind legalistic loopholes might win the case for B of A in court, but it reveals a shameful lack of integrity. Civilization depends on people honoring their agreements, not on compliance with heartless, contradictory laws written by politicians and bureaucrats.

B of A should do the right thing here, and that includes not only covering the loss their own agreement says they should have prevented, but also implementing the safeguards specified by that agreement — safeguards that will prevent similar crimes with other customers in the future.

Good article and right on target with the bank doing zero as I had a counterfeit cashier’s check go right through my account and I’m stuck, so as long as the basic routing information is there, banks do nothing with scanning for other items that might indicate the check is not real.

I keep telling everyone and I can’t get the right attention here that when you think of Anthem having 80 million files, all they need is basic SQL skills and they can manipulate stolen data to look like authentic real data for sale. Look at the sites opening up to exchange data? Nobody is minding the shop here.

Again with all this Anthem data, can you imagine what the hackers can do? Even the Anonymous folks commented to me as well on this topic, they don’t like them either and call them “digital criminals” who are very scary. Fact of the matter is that we have very smart hackers who are in fact mathematicians or folks with those skills doing this work.

Again I go back to the campaign I started over 3 years ago requiring a license to sell data so first of all we know who they are and second, where do we go as consumers to fix flawed data? When you are repackaged with no data trail to trace, you’re stuck and I have that situation right now. Bad or flawed data gets the same price as good data…sad but they don’t care when the market for data selling is over $180 billion a year, just in the US.

I’m worried that certain market interests are making money from this, as in Krebs’ article on the makers of TurboTax. When the bottom line is affected, you won’t go against that – this is one of the primary flaws with an unregulated Market system.

With my UK bank, I have to employ 2-Factor Authentication with a ChipCard Reader to set up a new Payee, and repeat it when I make the 1st payment to said new Payee, and/or if I ever change any of the Bank details of a pre-existing Payee.
I don’t have to use 2-Factor Authentication to make any payment up to £20,000 (circa $30,000) to a pre-existing Payee, so in theory that’s the weak point in the chain, if anyone was to steal my basic login credentials.

You’re obviously a time-traveling sorcerer from the future, with your references to 2FA and ‘chipcard’ and other manners of banking magic. Your suggestions of wizardry are ineffective here in the land of Stone Age financial systems because they would cost the banks money, as opposed to the losses which are easily passed along to the hapless caveman victims who dot this land.

I just want to say it’s not always the banks. Visa is implementing chip cards; it’s the merchants who do not want to upgrade, because it is going to cost them to upgrade their systems. They have to buy all new processing boxes, as you have seen at Target’s and some of the big merchants, and old boxes are still at other places. The banks are already processing chip cards for the majority of the people; as the cards expire they are trying to issue new cards, but they will not be encoded like that; on old boxes they run just like regular debit cards.

In general, I’m a big fan of hardware gadgets to help security, such as the new U2F tokens (hey Brian, that would be a good article, once they get the NFC version done).

HOWEVER, I must note that if the victim computer has a trojan on it, almost all 2-factor approaches do not help. That’s why, if you are handling a lot of money, it’s important that you use a single-purpose, clean computer such as Brian links to. A Google chromebook is also an excellent, super-secure choice.

If my PC was compromised, the SMS text message from my bank with the authorization code would still show the actual amount and recipient account.
Likewise for an app-based solution, likewise for a chip-reader based verification with the reader having a separate display to verify the transaction details.

Which 2FA systems do you think can be circumvented by compromising the user’s PC?
Never mind that using a separate PC for bank transfers is a sound idea. It might just not be feasible for a large organization like a hospital with integrated ERP systems. Plus in this case it was, as I understand, not the banking as such that was compromised, but non-existent staff was added to the payroll software. An isolated PC could hardly handle the HR department.

The second 2FA PC/device may or may not be the same PC/device as the first authentication. It depends on what is specified as the second 2FA method by the financial institution (in-band or out-of-band) and/or what method the user specifies (SMS, email, phone call, etc. and whether the communication is with the same or a different PC/device).

My bank in the Netherlands has just sent me a token that I find brilliant. It has a camera that is used to read a QR code that is displayed on the computer screen. It then shows you the transaction details, and (after you type in your PIN) it generates a signature code.

There are many great high-tech solutions out there, but they are expensive. Would it work in card present transactions? Can you imagine the service time as people wait for a code to be generated, for an image to be captured, to be transmitted, to be accepted and another code to be displayed? Merchants, especially high volume merchants, would be aghast. How does it work in an area without wireless service? We need a simpler and more robust solution.

Congress is slow on its ass to mandate universal security standards for these companies. It really isn’t rocket science to be at least semi protected; they can at least start with the basics. lol.

At the hospitals around here they even encrypt their messages. Let alone not filtering OUTGOING, or letting people use their drives, or download things from emails, or go to any website they want, which run scripts. It’s nuts. This was in Washington? lmao.

Chase told me they have the same protection for business accounts that they do for personal; thankfully I’ve never needed to test this (and hope I never will). I think more and more larger banks will offer this and the smaller banks will be put out of business. I would never house significant sums of money at any small bank because I know they probably can’t afford the protections they need.

I think at the same time more and more when there is glaring negligence on the part of organizations banks will refuse to continue taking the losses.

I was at a presentation some time back given by a prosecutor who ran a major cybercrime division. He said banks lose a lot to the criminals (more than people realize) and eventually business will need to bear more of the brunt of responsibility for very poor security practices. I think there will be a bar set for reasonable due care soon, and that is as it should be.

Here’s another easy fix: if you have a large amount of money to protect then keep it in a main account in which all electronic transactions are “disallowed,” (transfer by check only), and write checks from this to your disbursement accounts. This would guarantee the only way you could lose money is when your financial institution is hacked internally. When the bad guys go to transfer the cash it won’t work, if they try to deposit and remove cash then you’re not losing anything.

With all that said I can tell you, working in the field, it’s much harder to maintain a robust and secure security posture than it is to dictate it. You can spend all your time securing everything, and the nasty folks will find the holes you miss most of the time these days.

The way BoA reacted to the economic crisis, I would have zero confidence in anything they said to me. If they were able to bring a successful civil fraud case against them, you know a federal felony case could have been prosecuted against many more individuals at that institution!

Chris – you made an interesting point. Most payroll accounts I know carry a nominal balance and get funded (monies transferred in) just before payday. On the other hand, if the crooks have been watching, they would know this pattern and time their strike accordingly.

>Bhuddah Chris – in my experience (nine years on a Red Team), the complexity of large banks means many more attack surfaces, personnel who don’t know each other, and disparate systems inherited from bank acquisitions. This leads to some rather interesting perforations to exploit. Depending on management “buy in” – smaller banks can be VERY TIGHT. Less complex operations, tighter HR controls, succinct information security programs, and long term employees who voraciously cover every virtual port.
So more often than not, the opposite is true – the large bank may throw more money at security, but it doesn’t mean they get it right.
I couldn’t even start to weigh in on this B of A case… unless there is a recording saying the transaction is unauthorized. Then I would have an opinion.

I bet BANA recorded the initial call from Chelan County Public Hospital. But BANA probably disabled call recording for the subsequent call back to the hospital. Chelan should start using call recording for all their calls with BANA.

By the way, BANA’s response to paragraph 6 of the Complaint is rather amusing.

“6. Chelan County, Washington is a county of approximately 72,000 people. The county seat is Wenatchee.”

– Response:
“BANA is without sufficient knowledge or information to form a belief as to the truth or falsity of the allegations contained in Paragraph 6 of the Complaint and, therefore, denies the same.”

Most of us think of security as an “add on” to our lives, mandated only by the bad guys… is there a third path where we truly embrace it – make it a national goal? That sounds sort of like paranoia, but we live in a new world now. It wasn’t like this in the 70’s, 80’s, and 90’s.

As in many things of life’s activities (and not just comedy), timing is everything — if the phone company’s time-stamp on the phone call made between bank and hospital clearly represents a point prior to the time-stamp of the actual transfer, then the bank failed to heed direct instruction by the hospital, whatever the reason for their internal lapse. The bank thus made the transfer in spite of explicit denial of authorization in response to their own request for confirmation. The facts of that sequence of events should render legal liability very clear and wholly the bank’s insofar as whatever jury panel gets to hear this case, unless the bank officer is somehow claiming the hospital officer’s statement of explicit denial of authorization was not comprehensible or did not occur.

The Hospital may lose but I applaud their effort. Of course it isn’t really the Hospital that had their money stolen, it was the taxpayers. By the time one considers Federal, State, and Local funding sources, grants, donations, etc… the loss affects more of us.

It is time that our dysfunctional Congress pulled it together long enough to change some of those laws that allow negligent entities, be they human or corporate, to escape punishment. That will undoubtedly take a long time as the taxpayers will not only be fighting those elected to ‘serve’ them but also the lobbyists that serve those who are supposed to serve us but who serve the lobbyists instead. It is almost an impossible task to actually have an effect on elected officials these days. They care much more about what the lobbyists will do for them than what their constituents will do to them. And, why shouldn’t they? They know that most citizens don’t vote so why waste your time actually serving and assisting them? It’s the lobbyists, the money givers, they want to please.

Until we can pass laws making it a crime to neglect proper security protocols, to not even have proper security procedures in writing and in place, to not encrypt sensitive information that should be encrypted, to allow employees to use weak passwords or no passwords at all, the crime of stealing from everyone in this country will continue.

The only real power we, the average citizens, have is the power to vote and that only works when we use it in unison. Get involved and involve others. Create change. Don’t sit still while you are constantly being raped by digital thieves. Do something about it. It all starts with your vote.

Brian – It will be an honor and a pleasure to see you at CEIC 2015 in May. I am bringing my copy of your book in hope you will grant a few autographs.

Chelan County and all other public agencies in Washington state need to cancel all BofA accounts. The ultimate loser here is the taxpayer. In my humble opinion, BofA and their high priced execs are dishonest, dishonorable people.

Scammers pulling this type of theft have been known to flood the victim’s phones with calls (like a telephonic denial of service attack) to prevent phone communication between the bank and victim while the money is being moved.

Is it so much of a stretch to imagine that the thieves would call the victim themselves and ask if the transfer is authorized, so that the victim has a false sense of security and doesn’t call the bank if they notice unauthorized activity?

I’d expect them to:
A. Change the phone numbers on the account
B. Hack the PBX to possibly prevent call delivery
C. Hijack the DNS-like registry for phone numbers and use it to interfere with verification

I suspect that a lot of the criminals doing this are not all that sophisticated, and that they just bought a Zeus kit and tricked someone at the hospital into installing it. Spoofing the bank’s phone number and calling the hospital’s bookkeeping department to create a false sense of security with a fake authorization call requires a lot less sophistication than actually messing with their phone system.

The issue of commercial companies getting compromised & account transfers has been going on for quite some time.

What I haven’t seen is a publicly published set of best practices that would mitigate the risk AND address who is liable. That is, if company follows XYZ practices then they are protected from liability for the fraudulent transfer. If the practices are inconvenient then the company has to make a choice between convenience and safety.

This isn’t necessarily going to be a slam dunk for the bank. Some people have already raised the factual conflict between the bank and the hospital on actual authorization.

In addition, according to the bank’s answer, the out for the bank exists only if “the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer”.

The requirement of commercial standards of fair dealing could easily require more than what the bank is doing.

In response to some other comments here–
Don’t assume reported decisions are an accurate representation of where the law on this is going. Banks settle cases that they perceive they’re going to lose to avoid creating adverse precedent. I’m not sure that’ll go on forever, though, and a case like this, because of Washington’s Public Records laws, may be one where the process is more transparent than usual.